[OpenAFS] mod_waklog question

Jason Edgecombe jwedgeco@uncc.edu
Tue, 11 Jul 2017 13:13:22 -0400



After running "k5start -t -f keytab principal_for_httpd bash", run "id" and
look at the groups entries. If you have a new PAG, then you'll see a group
with a high GID (like 10 digits), but no name.

Here is a snippet of my "id" output

uid=12345(jwedgeco) gid=500(domain users) groups=500(domain
users),3455(linux-team),999 (all-users),1095560020 context=...

In the above output, the 1095560020 is the temporary fake group gid
associated with my PAG.

The other way to see if it has a new PAG is to run two kstart commands a
few seconds apart in separate windows and compare the "tokens" command
output to make sure that they are different.

Jason


---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------

On Tue, Jul 11, 2017 at 10:12 AM, Andreas Ladanyi <andreas.ladanyi@kit.edu>
wrote:

> Hi Jason,
>
> > Hi Andreas,
> >
> > Getting systemd, apache, and kstart to play nice took a little bit of
> > work. I have included a sanitized copy of my Apache systemd unit file. Be
> > sure to modify the ExecStart line to have the correct keytab location and
> > principal name.
> >
> > I have NOT tested this in selinux enforcing mode, so beware.
>
> selinux is in permissive mode.
>
> > I think that kstart does create a new PAG, but I'm not certain. Be sure to
> > verify that by running bash via kstart, then running "id" to see if an
> > extra high-numbered numeric group appears. If no new PAG is created, then
> > you might play with the pagsh command.
>
> k5start -t -f keytab principal_for_httpd bash
> results in a new bash shell with the same user id and, because of the -t
> switch, it creates a new AFS service token. A new /tmp/krb5cc.... file is
> created.
>
> How could I verify if a new PAG is created or not?
>
> Thanks for the systemd snippet.
>
> regards,
> Andreas
>
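A small shell check, added here and not part of the thread, that automates the "id" inspection Jason describes: it parses an id line for group entries that have no name and are at least ten digits long. The sample line is the one quoted in the message; the ten-digit threshold is an assumption taken from the message, not a documented OpenAFS range.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the "id" check described
# above. A fresh PAG shows up in "id" as a group entry that is purely numeric
# (no name in parentheses) and about ten digits long (assumption taken from
# the message; the exact GID range is not stated on the page).

# Constructed sample: the id line quoted in the message, on a single line.
SAMPLE_ID='uid=12345(jwedgeco) gid=500(domain users) groups=500(domain users),3455(linux-team),999 (all-users),1095560020 context=...'

# pag_gid ID_LINE: print every groups= entry that has no name and is at
# least ten digits. Prints nothing (and grep returns 1) when none is found.
pag_gid() {
    # Keep only the groups list: drop a trailing SELinux "context=" field,
    # then everything up to and including "groups=". Split the list on
    # commas, trim whitespace, and keep only unnamed 10+ digit GIDs.
    printf '%s\n' "$1" |
        sed -e 's/ context=.*$//' -e 's/.*groups=//' |
        tr ',' '\n' |
        sed -e 's/^ *//' -e 's/ *$//' |
        grep -E '^[0-9]{10,}$'
}

# has_pag ID_LINE: exit 0 if a PAG-style GID is present, 1 otherwise.
has_pag() {
    [ -n "$(pag_gid "$1")" ]
}

# To check the shell you are in (e.g. one started via k5start ... bash):
#   has_pag "$(id)" && echo "PAG present"
if has_pag "$SAMPLE_ID"; then
    echo "PAG gid in sample: $(pag_gid "$SAMPLE_ID")"
else
    echo "no PAG gid in sample"
fi
```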
